Subject: Re: Easy to follow NAMED & SSHD....
To: Mark Benson <mdb299@soton.ac.uk>
From: Don Yuniskis <auryn@gci-net.com>
List: port-mac68k
Date: 01/01/2002 02:54:31
>At 8:57 PM -0700 12/31/01, Don Yuniskis wrote:
>>Hmmm... can I ask why you gave each machine two names?
>>Neither appear to be dual homed... ?
>
>No particular reason...just nice to have options ;-)
Oh.
>>Yes. And, depending on your ISP, if that bogus domain name
>>starts appearing in the envelope of your outbound email, your
>>ISP's mail server may decide to reject mail from you (been
>>there, done that, got the T-shirt to prove it...)
>
>Yeah, you should either not run a mailserver or should use the
>masquerade-as directive.
Yes.
>>Note that CNAMEs can be a problem with some tools.
>
>Probably 75% of all DNS names are CNAMEs...I've never found anything
>that couldn't be done with them. The figure wasn't based on any
>statistic...just the fact that most computers have at least 1
>CNAME...many have multiple CNAMEs. There are many sites, for
>instance, with a single computer acting as www.x.com, ftp., pop3.,
>smtp., mail., etc. Also, most web hosting services host numerous
>websites on each computer, often with name-based virtual hosting.
>This wouldn't work if there were issues with using CNAMEs.
CNAMEs are huge sources of potential screwups...
Fred.foo.com CNAME Larry.baz.com
Do you know Larry.baz.com really exists? Will it *continue*
to exist (i.e. it is probably under a different SOA and
folks there might remove/rename it at any time...)
Fred.foo.com CNAME Barney.foo.com
...
Barney.foo.com CNAME Fred.foo.com
Ooops! :> And, of course, Barney might be in a different
SOA and point back to Fred (i.e. someone else might be
administering that zone and "you" are unaware of the change
he just made...). Sounds silly to point arbitrary names
at each other? Maybe look at it using a different set of
(vanity) names:
WWW.foo.com CNAME WWW.baz.com
...
WWW.baz.com CNAME WWW.foo.com
I.e. guy at baz decides that foo will now be serving up
the web pages -- unaware that foo has already decided
that baz will be doing this...
foo.com NS DNS.foo.com
...
DNS.foo.com CNAME somehost.foo.com
Remember, each "foo" could just as easily be a "baz"
(i.e. in a different SOA)
foo.com MX Mail.foo.com
...
Mail.foo.com CNAME somehost.foo.com
Actually, this case is legal (I *think*) per RFCs
but can/will break some mailers. I think sendmail
has flip-flopped over the years re: whether it
does a lookup on the returned CNAME or just barfs...
You also have subtle issues like IP based
authentication which can get hosed...
fred.foo.com ultimately resolves to x.x.x.x.
Do a reverse lookup on x.x.x.x (to fight spoofing) and
you find barney.foo.com. (Or, perhaps barney.baz.com)
Hmmm... fred.foo.com != barney.baz.com... is this a
hacking/spoofing attempt??
Etc. (at ~3AM I'm not too excited about thinking up
other examples... :>)
Note that verifying a "correct" configuration can be
difficult. Since servers cache entries for the TTL,
your attempt to resolve barney.baz.com, for example,
to verify that it is an A record, might yield one
answer *now* even though the actual named database
has already been changed (i.e. the TTL hasn't expired
yet to cause an update).
As I said previously, DNS is not trivial to set up
*right*...
--don
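The pitfalls Don walks through above (a CNAME loop, a CNAME whose target lives under somebody else's SOA, NS and MX records pointing at aliases, and a forward/reverse mismatch breaking IP-based checks) can all be caught by a static lint over a zone snapshot before it is loaded. The following is an added example written for this thread, not code from either poster or from NetBSD; the records, the zone name `foo.com`, the address `192.0.2.x` and the PTR table are all constructed. It reads records from memory rather than querying live servers, so the TTL caveat from the message still applies to whatever snapshot you feed it. The NS/MX rule it enforces is the one in RFC 2181 section 10.3 (alias targets are not permitted there).

```python
"""Static lint for the CNAME pitfalls discussed in the thread (added example)."""
from collections import defaultdict

# Constructed sample records: (owner, type, target). Not a real zone.
SAMPLE_RECORDS = [
    ("foo.com", "NS", "dns.foo.com"),
    ("foo.com", "MX", "mail.foo.com"),
    ("dns.foo.com", "CNAME", "somehost.foo.com"),    # NS target is an alias
    ("mail.foo.com", "CNAME", "somehost.foo.com"),   # MX target is an alias
    ("somehost.foo.com", "A", "192.0.2.10"),
    ("fred.foo.com", "CNAME", "larry.baz.com"),      # target under another SOA
    ("www.foo.com", "CNAME", "www.baz.com"),
    ("www.baz.com", "CNAME", "www.foo.com"),         # the vanity-name loop
    ("barney.foo.com", "A", "192.0.2.20"),
    ("alias.foo.com", "CNAME", "barney.foo.com"),    # forward/reverse mismatch
]

# Constructed reverse map standing in for PTR lookups.
SAMPLE_PTR = {"192.0.2.10": "somehost.foo.com", "192.0.2.20": "barney.foo.com"}


def build_index(records):
    """Group records by lower-cased owner name."""
    idx = defaultdict(list)
    for owner, rtype, target in records:
        idx[owner.lower()].append((rtype.upper(), target.lower()))
    return idx


def resolve_chain(idx, name, max_hops=8):
    """Follow CNAMEs from name within the snapshot.

    Returns (final_name, status) with status one of 'ok', 'loop',
    'dangling' (final name has no records in the snapshot) or 'too_long'.
    """
    seen = []
    cur = name.lower()
    while True:
        if cur in seen:
            return cur, "loop"
        seen.append(cur)
        if len(seen) > max_hops:
            return cur, "too_long"
        rrs = idx.get(cur)
        if not rrs:
            return cur, "dangling"
        cnames = [t for rt, t in rrs if rt == "CNAME"]
        if not cnames:
            return cur, "ok"
        cur = cnames[0]


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def lint_zone(records, zone):
    """Return (owner, finding, detail) tuples for names under this zone's SOA."""
    zone = zone.lower()
    idx = build_index(records)
    findings = []
    for owner in sorted(idx):
        if not in_zone(owner, zone):
            continue  # another SOA's problem; we cannot fix it from here
        for rtype, target in idx[owner]:
            if rtype in ("NS", "MX"):
                # RFC 2181 s10.3: NS/MX targets must be hosts, not aliases
                if any(rt == "CNAME" for rt, _ in idx.get(target, [])):
                    findings.append((owner, f"{rtype.lower()}-target-is-cname", target))
            elif rtype == "CNAME":
                final, status = resolve_chain(idx, owner)
                if status == "loop":
                    findings.append((owner, "cname-loop", final))
                elif not in_zone(target, zone):
                    # Exists today, maybe; whether it keeps existing is not ours to control
                    findings.append((owner, "cname-target-out-of-zone", target))
                elif status == "dangling":
                    findings.append((owner, "cname-dangling", final))
    return findings


def check_forward_reverse(records, ptr, name):
    """Mimic an IP-based check: resolve name, PTR each address, report PTRs
    that do not match the name that was originally looked up."""
    idx = build_index(records)
    final, status = resolve_chain(idx, name)
    if status != "ok":
        return {"name": name, "status": status, "mismatches": []}
    mismatches = [(addr, ptr.get(addr))
                  for rt, addr in idx[final]
                  if rt == "A" and ptr.get(addr) != name.lower()]
    return {"name": name, "status": "ok", "mismatches": mismatches}


if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_RECORDS, "foo.com"):
        print("%-16s %-26s %s" % finding)
    print(check_forward_reverse(SAMPLE_RECORDS, SAMPLE_PTR, "alias.foo.com"))
```

On the constructed records the lint reports the NS and MX aliases, the out-of-zone `fred.foo.com` target and the `www` loop, and the forward/reverse check on `alias.foo.com` returns a mismatch because the PTR for its address names `barney.foo.com`, which is exactly the "is this a spoofing attempt?" situation above. The out-of-zone case is reported as a finding rather than resolved, since the snapshot cannot say anything about records under another SOA.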